01-22-2009, 02:07 PM
John Hinton

SquirrelMail Sending Under Wrong Username

CentOS team... as is already bug reported and marked solved... as we
await the upstream repair for this.

It was reported that this was happening on CentOS 5. You likely already
know, but it also happens on CentOS 4.

For those unaware. It seems that SquirrelMail has an issue which allows
mail to be sent out from one user on the system and it uses the from
address of another user on the system. Apparently, both users need to be
logged into SM at the same time.

My client reported that when he sent the affected message, he received a
connection lost notice. He logged in again, stated that the email was in
fact sent. The recipient of that email asked what was up with the odd
from address. Looking at the headers from that message, they do in fact
show adifferentusername@thisparticularservername.com.

This is about the most embarrassing thing that's ever happened with my
servers. Obviously the affected user is not feeling very secure. It does
invite the recipient to reply to the wrong address which could be bad on
so many levels (imagine having a few local law firms hosted on the same
server?). I view this as a horrid security issue. If maybe the CentOS
team might be so kind as to push the SquirrelMail update to the front
when it's ready, that would be greatly appreciated.

John Hinton
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
01-23-2009, 03:59 PM
Joe Pruett

SquirrelMail Sending Under Wrong Username

the problem is mixed up session ids. i have made a quick patch based on
the upstream update. i've attached it. it is for the c4 version,
but probably would apply to c5. apply it with:


cd /usr/share/squirrelmail
patch -p3 < FILE

also, after this sometimes customers will have to clear the SQMSESSID
cookie from their browser or they won't be able to log in.

diff -ru /usr/share/squirrelmail/functions/global.php usr/share/squirrelmail/functions/global.php
--- /usr/share/squirrelmail/functions/global.php 2009-01-14 13:40:23.000000000 -0800
+++ usr/share/squirrelmail/functions/global.php 2009-01-21 13:49:14.000000000 -0800
@@ -123,6 +123,10 @@
ini_set('session.use_cookies','1');
}

+/* Make sure to have $base_uri always initialized to avoid having session
+ cookie set twice (for $base_uri and $base_uri/src. */
+$base_uri = sqm_baseuri();
+
/* convert old-style superglobals to current method
* this is executed if you are running PHP 4.0.x.
* it is run via a require_once directive in validate.php
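Review bot: the new comment in this hunk has an unbalanced parenthesis (`(for $base_uri and $base_uri/src.`); close it as `... and $base_uri/src).` It would also help to say in the comment that this file-scope `$base_uri = sqm_baseuri();` runs at include time, so `sqm_baseuri()` has to be defined before global.php reaches this line, and that the `global $base_uri;` used further down in the cookie code now resolves to this value.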
@@ -379,9 +383,12 @@

global $base_uri;

- if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), ', 0, $base_uri);
- if (isset($_COOKIE['username'])) sqsetcookie('username', ', 0, $base_uri);
- if (isset($_COOKIE['key'])) sqsetcookie('key', ', 0, $base_uri);
+ if (isset($_COOKIE[session_name()])) {
+ sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri);
+ sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri."src/");
+ }
+ if (isset($_COOKIE['username'])) sqsetcookie('username', ', 1, $base_uri);
+ if (isset($_COOKIE['key'])) sqsetcookie('key', ', 1, $base_uri);

$sessid = session_id();
if (!empty( $sessid )) {
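Review bot: the `username` and `key` lines keep a lone `'` as the cookie value argument (`sqsetcookie('username', ', 1, $base_uri);`); as shown in the posted diff that is not a closed PHP string literal and the file would not parse, so if the empty string is intended it should read `''`. Separately, the session cookie is now expired on both `$base_uri` and `$base_uri."src/"`, which only yields the right path when `$base_uri` ends with a slash; either check for the trailing slash before concatenating or document that `sqm_baseuri()` guarantees it.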
@@ -428,6 +435,12 @@
// could be: sq_call_function_suppress_errors('session_start');
$session_id = session_id();

+ // make sure 'deleted' is never a valid session identifier
+ if ($session_id == 'deleted') {
+ session_regenerate_id();
+ $session_id = session_id();
+ }
+
// session_starts sets the sessionid cookie but without the httponly var
// setting the cookie again sets the httponly cookie attribute
//
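Review bot: `session_regenerate_id();` in the new `'deleted'` branch is called without the delete_old_session argument, so whatever data was stored under the shared `deleted` session id stays in the session store; on PHP 5.1 or later (the CentOS 5 build) pass `true` so the old record is dropped. The comment should also state why this literal matters: `deleted` is the placeholder value PHP's setcookie() writes when it expires a cookie, so a browser that sends it back must never be handed a session keyed on that string, which is exactly how two logged-in users end up sharing one session.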
diff -ru /usr/share/squirrelmail/functions/strings.php usr/share/squirrelmail/functions/strings.php
--- /usr/share/squirrelmail/functions/strings.php 2009-01-14 13:40:25.000000000 -0800
+++ usr/share/squirrelmail/functions/strings.php 2009-01-21 13:49:16.000000000 -0800
@@ -16,7 +16,7 @@
* SquirrelMail version number -- DO NOT CHANGE
*/
global $version;
-$version = '1.4.8-5.el4.centos.2';
+$version = '1.4.8-5.3';

/**
* SquirrelMail internal version number -- DO NOT CHANGE
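Review bot: this hunk replaces the package's own tag `'1.4.8-5.el4.centos.2'` with `'1.4.8-5.3'` directly under a comment reading DO NOT CHANGE. It looks like a by-product of diffing against a differently built tree rather than part of the fix, and applying it makes the installed code report a version that no longer matches the RPM, so drop this hunk from the local patch.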
Binary files /usr/share/squirrelmail/images/sm_logo.png and usr/share/squirrelmail/images/sm_logo.png differ
Only in /usr/share/squirrelmail/plugins: abook_import_export
Only in /usr/share/squirrelmail/plugins: address_add
Only in /usr/share/squirrelmail/plugins: change_pass
Only in /usr/share/squirrelmail/plugins: gpg
Only in /usr/share/squirrelmail/plugins: vacation_local
Only in /usr/share/squirrelmail/plugins: vacation_spire
Only in /usr/share/squirrelmail/plugins: virtualtable
diff -ru /usr/share/squirrelmail/src/redirect.php usr/share/squirrelmail/src/redirect.php
--- /usr/share/squirrelmail/src/redirect.php 2009-01-14 13:40:23.000000000 -0800
+++ usr/share/squirrelmail/src/redirect.php 2009-01-21 13:49:14.000000000 -0800
@@ -71,6 +71,9 @@
if (!sqsession_is_registered('user_is_logged_in')) {
do_hook ('login_before');

+ // make sure to regenerate session id upon user login
+ session_regenerate_id();
+
$onetimepad = OneTimePadCreate(strlen($secretkey));
$key = OneTimePadEncrypt($secretkey, $onetimepad);
sqsession_register($onetimepad, 'onetimepad');
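Review bot: regenerating the session id right after `do_hook ('login_before')` closes the fixation window at login, but as in the global.php hunk `session_regenerate_id();` is called without `true`, so on PHP 5.1+ the pre-login session record survives in the store. Note also that the hook fires before the id changes, so any plugin reading session_id() inside `login_before` sees the old value; a one-line comment saying the regeneration is deliberately placed after the hook (or moving it before) would avoid surprises.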
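An admin who applied Joe's patch by hand (or is waiting on the rebuilt package) will want a quick way to tell whether a given SquirrelMail tree carries the fix. The following script is an added example for this thread, not code from SquirrelMail, CentOS or either poster: it looks for the three changes the patch above makes (the early `$base_uri` initialisation and the `'deleted'` guard in functions/global.php, and the session id regeneration in src/redirect.php). The file paths and marker strings are taken from the posted diff; the sample file contents embedded below are constructed for the demonstration, and the default install path is the one used in the thread.

```python
"""Check whether a SquirrelMail 1.4.x tree carries the session-mixup fix.

Added example for this thread (not SquirrelMail or CentOS code). The markers
are taken from the posted patch; the sample file contents are constructed.
"""
import os
import re
import sys

# (relative path under the SquirrelMail root, description, pattern that the
#  patched file should match). Paths and marker strings come from the patch.
FIX_MARKERS = [
    ("functions/global.php",
     "base_uri initialised before the session cookies are touched",
     re.compile(r"^\s*\$base_uri\s*=\s*sqm_baseuri\(\)\s*;", re.M)),
    ("functions/global.php",
     "'deleted' rejected as a session identifier",
     re.compile(r"\$session_id\s*==\s*'deleted'")),
    ("src/redirect.php",
     "session id regenerated at login",
     re.compile(r"^\s*session_regenerate_id\(\)\s*;", re.M)),
]


def check_sources(sources):
    """Map each marker description to whether its file contains the marker.

    sources: dict of relative path -> file text; a missing file counts as
    empty, so its markers are reported absent.
    """
    return {desc: bool(pat.search(sources.get(rel, "")))
            for rel, desc, pat in FIX_MARKERS}


def is_patched(sources):
    """True only when every marker from the patch is present."""
    return all(check_sources(sources).values())


def load_install(root):
    """Read the files the markers refer to from an installed tree."""
    sources = {}
    for rel, _, _ in FIX_MARKERS:
        try:
            with open(os.path.join(root, rel), encoding="utf-8",
                      errors="replace") as fh:
                sources[rel] = fh.read()
        except OSError:
            sources[rel] = ""  # unreadable or absent: marker cannot be present
    return sources


# Constructed samples mimicking the relevant lines before and after the patch.
UNPATCHED_SAMPLE = {
    "functions/global.php": """<?php
ini_set('session.use_cookies','1');
global $base_uri;
if (isset($_COOKIE[session_name()])) sqsetcookie(session_name(), '', 0, $base_uri);
$session_id = session_id();
""",
    "src/redirect.php": """<?php
if (!sqsession_is_registered('user_is_logged_in')) {
    do_hook ('login_before');
    $onetimepad = OneTimePadCreate(strlen($secretkey));
}
""",
}

PATCHED_SAMPLE = {
    "functions/global.php": """<?php
ini_set('session.use_cookies','1');
$base_uri = sqm_baseuri();
global $base_uri;
if (isset($_COOKIE[session_name()])) {
    sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri);
    sqsetcookie(session_name(), $_COOKIE[session_name()], 1, $base_uri."src/");
}
$session_id = session_id();
if ($session_id == 'deleted') {
    session_regenerate_id();
    $session_id = session_id();
}
""",
    "src/redirect.php": """<?php
if (!sqsession_is_registered('user_is_logged_in')) {
    do_hook ('login_before');
    session_regenerate_id();
    $onetimepad = OneTimePadCreate(strlen($secretkey));
}
""",
}


if __name__ == "__main__":
    # With no argument, inspect the install path used in the thread.
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/squirrelmail"
    results = check_sources(load_install(root))
    for desc, present in results.items():
        print(("ok      " if present else "MISSING ") + desc)
    sys.exit(0 if all(results.values()) else 1)
```

Run it as `python3 check_sqm_fix.py /usr/share/squirrelmail`; a non-zero exit means at least one of the three changes is absent. The check is textual, so it will also report "ok" on a tree where the patch applied but the lone `'` in the cookie lines was not corrected to `''`, which is why a `php -l functions/global.php` syntax check belongs next to it.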
 
01-23-2009, 05:09 PM
Tru Huynh

SquirrelMail Sending Under Wrong Username

On Thu, Jan 22, 2009 at 10:07:03AM -0500, John Hinton wrote:
> CentOS team... as is already bug reported and marked solved... as we
> await the upstream repair for this.
>
> It was reported that this was happening on CentOS 5. You likely already
> know, but it also happens on CentOS 4.

I will **try** to push it tonight or this week-end.

Tru
--
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
 
